Note: This version of the topic applies to Horizon 8 Security for versions 2111.2 and 2306 and later. Security-related global settings for client sessions and connections are accessible under Settings > Global Settings > Security Settings or under Settings > Global Settings > General Settings in the Horizon Console.

Table 1. Security-Related Global Settings
Setting Description
Change data recovery password

The password is required when you restore the Horizon LDAP configuration from an encrypted backup.

In VMware Horizon View environments:
  • When you install Connection Server, you provide a data recovery password. After installation, you can change this password in the console.
  • When you back up Connection Server, the Horizon LDAP configuration is exported as encrypted LDIF data. To restore the encrypted backup with the vdmimport utility, you must provide the data recovery password. The password must contain between 1 and 128 characters. Follow your organization's best practices for generating secure passwords.
Message security mode

Determines the security mechanism used when JMS messages are passed between VMware Horizon View components.

  • If set to Disabled, message security mode is deactivated.
  • If set to Enabled, legacy message signing and verification of JMS messages takes place. VMware Horizon View components reject unsigned messages. This mode supports a mix of TLS and plain JMS connections.
  • If set to Enhanced, TLS is used for all JMS connections, to encrypt all messages. Access control is also activated to restrict the JMS topics that VMware Horizon View components can send messages to and receive messages from.
  • If set to Mixed, message security mode is activated, but not enforced for VMware Horizon View components.

The default setting is Enhanced for new installations. If you upgrade from a previous version, the setting used in the previous version is retained.

Important: VMware strongly recommends setting the message security mode to Enhanced after you upgrade all connection broker instances and VMware Horizon View desktops to this release. The Enhanced setting provides many important security improvements and MQ (message queue) updates.
Enhanced Security Status (Read-only)

Read-only field that appears when Message security mode is changed from Enabled to Enhanced. Because the change is made in phases, this field shows the progress through the phases:

  • Waiting for Message Bus restart is the first phase. This state is displayed until you manually restart either all Connection Server instances in the pod or the VMware Horizon Message Bus Component service on all Connection Server hosts in the pod.
  • Pending Enhanced is the next state. After all Horizon Message Bus Component services have been restarted, the system begins changing the message security mode to Enhanced for all desktops.
  • Enhanced is the final state, indicating that all components are now using Enhanced message security mode.
Reauthenticate secure tunnel connections after network interruption

Determines if user credentials must be reauthenticated after a network interruption when Horizon Clients use secure tunnel connections to VMware Horizon View desktops and applications.

This setting offers increased security. For example, if a laptop is stolen and moved to a different network, whoever holds it cannot silently resume the existing VMware Horizon View desktop and application sessions: because the network connection was interrupted, the tunnel can only be re-established by presenting the user's credentials again.

This setting is deactivated by default.

Forcibly disconnect users

Disconnects all desktops and applications after the specified number of minutes has passed since the user logged in to VMware Horizon View. All desktops and applications will be disconnected at the same time regardless of when the user opened them.

The default is 600 minutes.

For clients that support applications: If the user stops using the keyboard and mouse, disconnect their applications and discard SSO credentials

Protects application sessions when there is no keyboard or mouse activity on the client device. If set to After ... minutes, VMware Horizon View disconnects all applications and discards SSO credentials after the specified number of minutes without user activity. Desktop sessions are disconnected. Users must log in again to reconnect to the applications that were disconnected or launch a new desktop or application.

If set to Never, VMware Horizon View never disconnects applications or discards SSO credentials due to user inactivity.

The default is Never.

Discard SSO credentials

Use this setting to configure the discarding of SSO credentials at a fixed time after login. After SSO credentials are discarded, a user will be prompted to authenticate to the Windows Guest Operating System when connecting to a new desktop or to a new application session on a different RDS Farm. Connections to existing Desktop and Application sessions will remain open.

If set to After ... minutes, SSO credentials will be discarded after the specified number of minutes has passed since the user logged in to VMware Horizon, regardless of any user activity on the client device. The default is After 15 minutes.

If set to Never, VMware Horizon stores SSO credentials until the user closes Horizon Client, or the Forcibly disconnect users timeout is reached, whichever comes first.

Select one or both of these checkboxes:
  • Apply to internal user connections - SSO credentials will be discarded for connections from client devices on private networks.
  • Apply to external user connections - SSO credentials will be discarded for connections from client devices on non-private networks.

By default, both checkboxes will be unchecked when Discard SSO Credentials is set to Never. Both checkboxes will be checked when Discard SSO Credentials is set to After ... minutes. You must select either one or both checkboxes in order to save your changes.
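The three timers above (Forcibly disconnect users, the idle application disconnect, and Discard SSO credentials) interact: the fixed Discard SSO credentials timer runs from login regardless of activity and leaves open sessions alone, the idle timer both disconnects sessions and discards credentials, and the forcible disconnect ends everything. The following Python is an added example, not VMware's code or part of the Horizon product; the setting names, function names and the constructed activity timestamps are this example's own assumptions, not Horizon API identifiers. It computes, for one login, when SSO credentials are discarded and when all sessions are disconnected, and enforces the page's rule that After ... minutes cannot be saved with neither checkbox selected.

```python
"""Added example (not VMware's code): model how the session timers interact.
Times are minutes since the user logged in to Horizon (login is t = 0)."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SessionSettings:            # names are this example's own, not Horizon identifiers
    forcibly_disconnect_minutes: int = 600          # "Forcibly disconnect users" default
    idle_disconnect_minutes: Optional[int] = None   # idle application disconnect; None = Never
    discard_sso_minutes: Optional[int] = 15         # "Discard SSO credentials"; None = Never
    apply_to_internal: bool = True                  # checkbox: internal user connections
    apply_to_external: bool = True                  # checkbox: external user connections


@dataclass
class Outcome:
    sso_discarded_at: int
    sso_reason: str
    sessions_disconnected_at: int
    sessions_reason: str


def validate(s: SessionSettings) -> None:
    """Mirror the console's save rules stated on the page."""
    if s.discard_sso_minutes is not None and not (s.apply_to_internal or s.apply_to_external):
        raise ValueError("Discard SSO credentials: select internal and/or external connections")
    if s.forcibly_disconnect_minutes <= 0:
        raise ValueError("Forcibly disconnect users must be a positive number of minutes")


def first_idle_trigger(activity: List[int], idle: int, horizon: int) -> Optional[int]:
    """Earliest minute at which `idle` minutes pass with no keyboard/mouse activity.
    `activity` lists minutes since login at which the user was active; the login
    itself counts as activity at t = 0.  None if it does not happen before `horizon`."""
    marks = sorted(set([0] + activity))
    for prev, nxt in zip(marks, marks[1:]):
        if nxt - prev >= idle:
            return prev + idle
    tail = marks[-1] + idle
    return tail if tail < horizon else None


def credential_timeline(s: SessionSettings, activity: List[int], external: bool) -> Outcome:
    validate(s)
    forcibly = s.forcibly_disconnect_minutes

    # Candidate (time, reason) events for discarding SSO credentials ...
    sso: List[Tuple[int, str]] = [(forcibly, "forcibly disconnect")]
    # ... and for disconnecting all desktops and applications.
    sessions: List[Tuple[int, str]] = [(forcibly, "forcibly disconnect")]

    if s.idle_disconnect_minutes is not None:
        t = first_idle_trigger(activity, s.idle_disconnect_minutes, forcibly)
        if t is not None:
            sso.append((t, "idle"))
            sessions.append((t, "idle"))   # idle timeout disconnects desktops and applications too

    applies = s.apply_to_external if external else s.apply_to_internal
    if s.discard_sso_minutes is not None and applies:
        # Fixed timer: ignores activity and leaves existing sessions open.
        sso.append((s.discard_sso_minutes, "fixed timer after login"))

    sso_t, sso_r = min(sso, key=lambda c: c[0])
    ses_t, ses_r = min(sessions, key=lambda c: c[0])
    return Outcome(sso_t, sso_r, ses_t, ses_r)


if __name__ == "__main__":
    # Constructed activity: user active at 10, 20 and 70 minutes after login.
    print(credential_timeline(SessionSettings(idle_disconnect_minutes=30), [10, 20, 70], external=True))
```

With the page's defaults (600 / Never / After 15 minutes, both checkboxes), credentials are discarded 15 minutes after login while sessions stay open until the forcible disconnect; with Discard SSO credentials set to Never and no idle timer, credentials live for the full 600 minutes.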

View Administrator session timeout

Determines how long an idle console session continues before the session times out.
Important: Setting the console session timeout to a high number of minutes increases the risk of unauthorized use of the console. Use caution when you allow an idle session to persist a long time.

By default, the console session timeout is 30 minutes. You can set a session timeout from 1 to 4320 minutes.

Certificate Authentication

Use this setting to change how certificate authentication maps a certificate to a user's Custom Alternate Security Identities attribute in Active Directory by specifying a Certificate Authentication Mapping Control option. Mapping types based on usernames and email addresses are considered weak and must be updated to one of the strong mapping types. See Configure Certificate Mappings for Certificate-Based Authentication for details.

Note: TLS is required for all Horizon Client connections and console connections to VMware Horizon View. If your VMware Horizon View deployment uses load balancers or other client-facing, intermediate servers, you can off-load TLS to them and then configure non-TLS connections on individual connection broker instances. See "Off-load TLS Connections to Intermediate Servers" in the Horizon Administration document.
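As an added example, not VMware's code or part of the Horizon product, the following Python audits a hand-captured set of the global settings from the table against the constraints and recommendations this page states (Enhanced message security, reauthentication after interruption, the Discard SSO credentials checkbox rule, the 1 to 4320 minute console timeout range, and weak certificate mapping types). The dictionary keys, the "strong" mapping label and the two sample configurations are this example's own assumptions, not Horizon identifiers; fill the dictionary in from the console by hand.

```python
"""Added example (not VMware's code): audit Horizon global security settings
against the rules stated on this page.  Keys are this example's own names."""

from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str, str]          # (setting, severity, message)

VALID_MESSAGE_MODES = {"Disabled", "Enabled", "Mixed", "Enhanced"}
WEAK_CERT_MAPPINGS = {"username", "email"}   # assumed labels for the username/email-based mappings
ADMIN_TIMEOUT_DEFAULT = 30                   # console default, minutes
ADMIN_TIMEOUT_RANGE = (1, 4320)              # allowed range, minutes


def audit(cfg: Dict[str, Any]) -> List[Finding]:
    f: List[Finding] = []

    mode = cfg.get("message_security_mode")
    if mode not in VALID_MESSAGE_MODES:
        f.append(("Message security mode", "error", f"unknown value {mode!r}"))
    elif mode != "Enhanced":
        f.append(("Message security mode", "warn",
                  f"{mode}: set Enhanced once all Connection Servers and desktops are upgraded"))
    elif cfg.get("enhanced_security_status") not in (None, "Enhanced"):
        # Read-only status shows the phased transition is not yet complete.
        f.append(("Enhanced Security Status", "info",
                  f"transition still in phase {cfg['enhanced_security_status']!r}"))

    if not cfg.get("reauthenticate_after_interruption", False):
        f.append(("Reauthenticate secure tunnel connections after network interruption", "warn",
                  "deactivated (the default); a moved or stolen device can resume tunnels silently"))

    forcibly = cfg.get("forcibly_disconnect_minutes", 600)
    if not isinstance(forcibly, int) or forcibly <= 0:
        f.append(("Forcibly disconnect users", "error", f"invalid value {forcibly!r}"))

    idle = cfg.get("idle_disconnect_minutes")        # None means Never (the default)
    if idle is None:
        f.append(("Idle disconnect", "warn",
                  "Never: inactive application sessions keep their SSO credentials"))
    elif not isinstance(idle, int) or idle <= 0:
        f.append(("Idle disconnect", "error", f"invalid value {idle!r}"))

    sso = cfg.get("discard_sso_minutes", 15)          # None means Never
    internal = cfg.get("apply_to_internal", False)
    external = cfg.get("apply_to_external", False)
    if sso is None:
        f.append(("Discard SSO credentials", "warn",
                  "Never: credentials live until client exit or forcible disconnect"))
    elif not (internal or external):
        f.append(("Discard SSO credentials", "error",
                  "After ... minutes needs internal and/or external selected; the console will not save this"))
    elif not external:
        f.append(("Discard SSO credentials", "warn", "not applied to external user connections"))

    timeout = cfg.get("admin_session_timeout_minutes", ADMIN_TIMEOUT_DEFAULT)
    lo, hi = ADMIN_TIMEOUT_RANGE
    if not isinstance(timeout, int) or not lo <= timeout <= hi:
        f.append(("View Administrator session timeout", "error",
                  f"{timeout!r} is outside {lo}..{hi} minutes"))
    elif timeout > ADMIN_TIMEOUT_DEFAULT:
        f.append(("View Administrator session timeout", "warn",
                  f"{timeout} min exceeds the {ADMIN_TIMEOUT_DEFAULT} min default; idle consoles stay usable longer"))

    mapping = cfg.get("certificate_mapping_type")
    if mapping in WEAK_CERT_MAPPINGS:
        f.append(("Certificate Authentication", "warn",
                  f"{mapping}-based mapping is weak; move to a strong mapping type"))
    return f


def has_errors(findings: List[Finding]) -> bool:
    return any(sev == "error" for _, sev, _ in findings)


# Constructed sample configurations (not captured from a real deployment).
WEAK_CONFIG = {
    "message_security_mode": "Enabled",
    "reauthenticate_after_interruption": False,
    "idle_disconnect_minutes": None,
    "discard_sso_minutes": None,
    "apply_to_internal": False, "apply_to_external": False,
    "admin_session_timeout_minutes": 4320,
    "certificate_mapping_type": "email",
}
HARDENED_CONFIG = {
    "message_security_mode": "Enhanced", "enhanced_security_status": "Enhanced",
    "reauthenticate_after_interruption": True,
    "forcibly_disconnect_minutes": 600,
    "idle_disconnect_minutes": 30,
    "discard_sso_minutes": 15,
    "apply_to_internal": True, "apply_to_external": True,
    "admin_session_timeout_minutes": 30,
    "certificate_mapping_type": "strong",      # assumed label for a strong mapping type
}

if __name__ == "__main__":
    for setting, sev, msg in audit(WEAK_CONFIG):
        print(f"[{sev}] {setting}: {msg}")
```

The weak sample is entirely saveable in the console yet produces six warnings; the one combination the page says cannot be saved (After ... minutes with neither checkbox) and an out-of-range console timeout are reported as errors.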